[Samba] Firewall trouble?

Ryan Ashley ryana at reachtechfp.com
Tue Dec 29 16:40:43 UTC 2015


James, I am at 2008 R2 level. What you just told me is not mentioned on
the wiki and could very well be my problem. I am first going to open 389
TCP and, should that not solve it, allow the ports you specified, but
only from the LAN.

Lead IT/IS Specialist
Reach Technology FP, Inc

On 12/28/2015 11:27 AM, James wrote:
> On 12/28/2015 10:33 AM, Ryan Ashley wrote:
>> I recently tried adding a firewall to my Samba 4 server using the port
>> information I found on the wiki. Below is a dump of the resulting rules.
>>
>> root at dc01:~# iptables -S
>> -P INPUT DROP
>> -P FORWARD DROP
>> -P OUTPUT ACCEPT
>> -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
>> -A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m recent --set --name BLOCKED --rsource
>> -A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m recent --update --seconds 600 --hitcount 4 --name BLOCKED --rsource -j DROP
>> -A INPUT -p icmp -m icmp --icmp-type 3 -j ACCEPT
>> -A INPUT -p icmp -m icmp --icmp-type 11 -j ACCEPT
>> -A INPUT -p icmp -m icmp --icmp-type 12 -j ACCEPT
>> -A INPUT -p tcp -m tcp --dport 113 --tcp-flags FIN,SYN,RST,ACK SYN -j REJECT --reject-with tcp-reset
>> -A INPUT -p gre -j ACCEPT
>> -A INPUT -p esp -j ACCEPT
>> -A INPUT -p ah -j ACCEPT
>> -A INPUT -p tcp -m state --state NEW -m multiport --dports 22,53,88,135,139,445,464,636,1024:5000,3268,3269 -j ACCEPT
>> -A INPUT -p udp -m state --state NEW -m multiport --dports 53,67,88,123,137,138,389,464 -j ACCEPT
>> -A INPUT -i lo -j ACCEPT
>>
>> As you can see, I try to prevent brute-force attacks on SSH, but
>> accept data, both TCP and UDP, on the ports specified by the wiki
>> article. However, when this firewall is on my AD DC server, logins
>> take eons, everything is SLOW on workstations, and sometimes
>> authentications just plain fail. Why?
>> --
>> Lead IT/IS Specialist
>> Reach Technology FP, Inc
>>
> I assume this is for a DC. If so are you using functional level 2008?
> You need to open ports 49152 through 65535 if you are. Level 2003 used
> 1025 through 5000.
> 
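A LAN-restricted ruleset along the lines James suggests, written as an added example for this thread rather than code from either poster. Compared with the posted dump it adds TCP 389 (LDAP), replaces the 1024:5000 range with the dynamic RPC range that clients are sent to after the port 135 endpoint-mapper lookup, accepts the AD ports only from the LAN, and puts the loopback accept first. The LAN 192.168.1.0/24 and the range 49152-65535 are assumptions; on Samba the dynamic range is the "rpc server dynamic port range" smb.conf parameter (default 49152-65535 since Samba 4.7), so the script reads that parameter from an smb.conf on stdin and falls back to the default. It only prints an iptables-restore ruleset; nothing is applied.

```shell
#!/bin/sh
# Print an iptables-restore ruleset for a Samba AD DC with AD traffic limited
# to the LAN. Added example for the thread, not code from the original posts.
# Assumptions (not from the thread): LAN 192.168.1.0/24, dynamic RPC range
# 49152-65535 (the "rpc server dynamic port range" smb.conf default).

# Core AD DS ports: DNS, Kerberos, epmap, NetBIOS session, LDAP, SMB, kpasswd,
# LDAPS, global catalog (TCP); DNS, Kerberos, NTP, NetBIOS name/datagram,
# CLDAP, kpasswd (UDP). multiport takes at most 15 ports per rule.
DC_TCP="53,88,135,139,389,445,464,636,3268,3269"
DC_UDP="53,88,123,137,138,389,464"

# rpc_range_from_smbconf < smb.conf
#   prints the configured "rpc server dynamic port range", or the Samba
#   default 49152-65535 if the parameter is absent or stdin is empty.
rpc_range_from_smbconf() {
    val=$(sed -n 's/^[[:space:]]*rpc server dynamic port range[[:space:]]*=[[:space:]]*\([0-9][0-9]*-[0-9][0-9]*\).*/\1/p' | head -n 1)
    printf '%s\n' "${val:-49152-65535}"
}

# dc_rules LAN_CIDR RPC_RANGE
#   prints an iptables-restore ruleset on stdout. RPC_RANGE is given in
#   smb.conf form (low-high); iptables wants low:high, so it is converted.
dc_rules() {
    lan="$1"
    rpc=$(printf '%s' "$2" | tr '-' ':')
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# ICMP needed for PMTU discovery and traceroute, as in the posted rules
-A INPUT -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 12 -j ACCEPT
# SSH with the same brute-force limiter: the 4th new connection from one
# source within 600 s is dropped
-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --set --name BLOCKED --rsource
-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --update --seconds 600 --hitcount 4 --name BLOCKED --rsource -j DROP
-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
# AD services, LAN only
-A INPUT -s ${lan} -p tcp -m conntrack --ctstate NEW -m multiport --dports ${DC_TCP} -j ACCEPT
-A INPUT -s ${lan} -p udp -m conntrack --ctstate NEW -m multiport --dports ${DC_UDP} -j ACCEPT
# Dynamic RPC ports handed out by the endpoint mapper on 135, LAN only
-A INPUT -s ${lan} -p tcp -m conntrack --ctstate NEW --dport ${rpc} -j ACCEPT
COMMIT
EOF
}

# Stand-alone run: LAN and smb.conf path can be overridden from the environment.
SMBCONF="${SMBCONF:-/etc/samba/smb.conf}"
if [ -r "$SMBCONF" ]; then
    RPC_RANGE=$(rpc_range_from_smbconf < "$SMBCONF")
else
    RPC_RANGE=$(rpc_range_from_smbconf < /dev/null)   # no smb.conf: use the default
fi
dc_rules "${LAN:-192.168.1.0/24}" "$RPC_RANGE"
```

Redirect the output to a file and load it with iptables-restore; review the rules first. If the smb.conf on the DC sets a narrower "rpc server dynamic port range", the script picks it up, which keeps the firewall and the DC's RPC range from drifting apart.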